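# Optional: skip interface detection and write this address to .env as APP_IP.
#DIRECT_IP=YOUR_IP_HERE
# Interface whose IPv4 becomes APP_IP when DIRECT_IP is unset (`?=` so the
# environment or the command line can override it). The default `lo` yields
# 127.0.0.1, which is only reachable from this host -- pass INTERFACE=<iface>
# when the stack must be reachable from elsewhere.
INTERFACE ?= lo
# SSL=true -> configure_keycloak_import sets sslRequired=external, otherwise none.
SSL=false
# LOCAL_VOLUMES=true -> `up` additionally loads docker-compose_local_volumes.yaml.
LOCAL_VOLUMES=false
# PCRE fragments applied to ifconfig output by list_interfaces (\K needs grep -P).
REGEX_IFACE := ^[^[:space:]]*:
REGEX_IPV4 := inet \K([0-9]{1,3}[\.]){3}[0-9]{1,3}
# Tool commands; `?=` lets the environment/command line substitute alternatives
# (e.g. `make COMPOSE="docker compose" up`).
IFCONFIG_CMD ?= /sbin/ifconfig
UID := $(shell id -u)
COMPOSE ?= docker-compose
# Exported to every recipe shell, presumably so the compose files can pick up
# the invoking user's id -- confirm against the compose files.
export UID
#SET_IP=$(shell $(IFCONFIG_CMD) $(INTERFACE) | grep -P -o "$(REGEX_IPV4)")
# Recursive (`=`) on purpose: the ifconfig pipeline runs only when the `ip`
# recipe expands it, not at parse time for every make invocation.
SET_IP=$(shell $(IFCONFIG_CMD) $(INTERFACE) | grep 'inet ' | cut -d ' ' -f 2)
# Recursive on purpose as well: evaluated inside docker_volumes_prune, after `down`.
# NOTE(review): matches any volume whose name merely contains "centry".
GET_CENTRY_VOLUMES=$(shell docker volume ls -q | grep centry)
# Every command-style target is phony so a stray file of the same name cannot
# silence it; config/pylon.yml is a real file target and stays out of this list.
.PHONY: all list_interfaces ip fix_permissions configure_keycloak_import up \
        up_with_custom_CA_cert up_with_mitmproxy down req down_with_mitmproxy \
        pylon_state_clean pylon_auth_state_clean docker_volumes_prune clean_all \
        docker_system_prune mitmproxy_interface_show mitmproxy_iptables_register \
        mitmproxy_iptables_remove mitmproxy_k8s_iptables_register \
        mitmproxy_k8s_iptables_remove mitmproxy_iptables_list \
        mitmproxy_start_transparent mitmdump_start_transparent mitmdump_follow_all \
        mitmdump_follow_TLS_failed mitmdump_print_TLS_failed docker_print_IPs \
        mitmproxy_prepare_system purge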
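# all: the default goal. It builds nothing; it prints the three-step local
# setup walkthrough (copy pylon config, pick an interface for APP_IP, run `up`).
all:
	@echo Please read this info carefully for centry to properly work
	@echo ===========================================================
	@echo These recipes will help to run centry locally
	@echo But first some preconfiguration is needed
	@echo ----------------------------------------
	@echo 1. Copy config/pylon-example.yml to config/pylon.yml
	@echo If needed change configuration in config/pylon.yml
	@echo More in README.md
	@echo ----------------------------------------
	@echo 2. Configure external APP_IP in .env file
	@echo To do so run \`make list_interfaces\`
	@echo This will show list of interfaces and their corresponding ipv4
	@echo Choose the interface through which you have access
	@echo ------------------------------------------------------------------------
	@echo 3. Run \`make up INTERFACE=\<name_of_the_interface\>\`
	@echo This will setup environment properly and start docker containers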
# list_interfaces: print interface names and IPv4 addresses parsed out of
# ifconfig's text output. Requires `grep -P` (PCRE) and depends on the exact
# ifconfig line format, so the output may differ between net-tools versions.
list_interfaces:
	$(IFCONFIG_CMD) | grep -P -o "($(REGEX_IFACE)|$(REGEX_IPV4))"
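# ip: rewrite the APP_IP= line of .env. DIRECT_IP wins when set; otherwise the
# first IPv4 reported by ifconfig for INTERFACE is used. The ifneq/else blocks
# are parse-time conditionals (column 0 on purpose); the $(eval ...) lines run
# with the recipe and bind IP for the lines that follow.
ip:
	@echo DIRECT_IP = $(DIRECT_IP)
	@echo INTERFACE = $(INTERFACE)
ifneq ($(DIRECT_IP),)
	@echo Setting APP_IP in .env to \`$(DIRECT_IP)\`
	$(eval IP=$(DIRECT_IP))
else
ifneq ($(INTERFACE),)
	@echo Setting APP_IP in .env with ipv4 for \`$(INTERFACE)\` interface
	$(eval IP=$(SET_IP))
else
	$(error "It is mandatory to set at least one of DIRECT_IP or INTERFACE environment variables! (e.g. `export INTERFACE=eth0` before calling `make up...`)")
endif
endif
# Fail loudly instead of silently writing an empty APP_IP= (e.g. interface has
# no IPv4, or ifconfig is missing) or editing a file that has no such line.
	@test -n "$(strip $(IP))" || { echo "ERROR: no IPv4 address resolved (INTERFACE=$(INTERFACE) DIRECT_IP=$(DIRECT_IP)); set DIRECT_IP or a valid INTERFACE"; exit 1; }
	@test -f .env || { echo "ERROR: .env not found in $(CURDIR)"; exit 1; }
	@grep -q '^APP_IP=' .env || { echo "ERROR: .env has no APP_IP= line to update"; exit 1; }
	sed -i -e "s+APP_IP=.*+APP_IP=$(IP)+g" .env
	@echo DONE with IP=$(IP)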
# fix_permissions: open ./config to every user (read + execute, recursively),
# then lock ./config/traefik/ down to the owner only.
# NOTE(review): `a+rx` also sets the execute bit on regular config files; the
# usual spelling for "traverse directories, read files" is `a+rX`. Anything
# under ./config other than traefik/ (e.g. pylon.yml, keycloak/carrier.json)
# becomes world-readable -- confirm none of it holds secrets.
fix_permissions:
	chmod -R a+rx ./config
	chmod -R 700 ./config/traefik/
# config/pylon.yml: a real file target with no prerequisites, so the recipe runs
# only while the file is missing. configure_pylon.sh is expected to create it
# (presumably from config/pylon-example.yml, per the `all` walkthrough -- verify).
config/pylon.yml:
	./configure_pylon.sh
# configure_keycloak_import: patch the realm import so its "sslRequired" value
# follows SSL: `true` -> external, anything else -> none. The ifeq is resolved
# at parse time; the $(eval) binds PARAM when the recipe runs. Edits
# ./config/keycloak/carrier.json in place. With the default SSL=false the realm
# is imported with sslRequired=none, i.e. plain-HTTP logins are accepted --
# intended for local use only.
configure_keycloak_import:
ifeq ($(SSL), true)
	$(eval PARAM=external)
else
	$(eval PARAM=none)
endif
	sed -i -e 's/"sslRequired": ".*"/"sslRequired": "${PARAM}"/' ./config/keycloak/carrier.json
# up: fix permissions, write APP_IP, ensure config/pylon.yml exists and patch the
# keycloak import, then start the stack detached. LOCAL_VOLUMES=true layers
# docker-compose_local_volumes.yaml on top of docker-compose.yaml (parse-time ifeq).
# NOTE(review): the second echo says local volumes are the default, but
# LOCAL_VOLUMES defaults to false above -- one of the two looks stale.
up: fix_permissions ip config/pylon.yml configure_keycloak_import
	@echo Edit command based on your needs
	@echo By default centry launches with local volumes
ifeq ($(LOCAL_VOLUMES), true)
	$(COMPOSE) -f docker-compose.yaml -f docker-compose_local_volumes.yaml up -d
else
	$(COMPOSE) up -d
endif
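# up_with_custom_CA_cert: like `up`, but layers docker-compose_custom_CA_cert.yaml
# so the containers receive the CA file named by CUSTOM_CA_CERT (presumably a PEM
# path -- see that compose file). The ifneq is a parse-time conditional.
# NOTE(review): unlike `up`, configure_keycloak_import is not a prerequisite here;
# confirm whether that omission is intended.
up_with_custom_CA_cert: fix_permissions ip config/pylon.yml
ifneq ($(CUSTOM_CA_CERT),)
# Refuse early if the CA file is not readable rather than letting compose start
# containers that trust nothing.
	@test -r "$(CUSTOM_CA_CERT)" || { echo "ERROR: CUSTOM_CA_CERT=$(CUSTOM_CA_CERT) is not a readable file, aborting..."; exit 1; }
	@echo Running docker compose with custom CA certificate file: $(CUSTOM_CA_CERT)
	$(COMPOSE) -f docker-compose.yaml -f docker-compose_custom_CA_cert.yaml up -d
else
# "aborting" must actually fail, otherwise callers (scripts, up_with_mitmproxy)
# see exit status 0 and a stack that never started.
	@echo CUSTOM_CA_CERT environment variable is not set, aborting...
	@exit 1
endif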
# up_with_mitmproxy: start the stack behind a transparent mitmproxy.
# Order matters: mitmproxy's CA is copied into the repo, `compose create`
# materialises containers/networks (presumably so a br-* bridge exists for the
# iptables step to find), the NAT redirect rules are installed, and finally the
# stack is started through up_with_custom_CA_cert with that CA so containers
# trust the interception certificate. Requires a prior mitmproxy run to have
# generated ~/.mitmproxy/mitmproxy-ca-cert.pem.
up_with_mitmproxy: ip
	@(cp ~/.mitmproxy/mitmproxy-ca-cert.pem ./mitmproxy-ca-cert.pem)
	$(COMPOSE) create
	$(MAKE) mitmproxy_iptables_register
	CUSTOM_CA_CERT=./mitmproxy-ca-cert.pem $(MAKE) up_with_custom_CA_cert
# down: stop and remove the compose containers/networks (volumes are kept; see
# docker_volumes_prune).
down:
	$(COMPOSE) down
# req: empty the requirements directories of both services. The directories
# themselves are kept; only their contents are removed.
req:
	rm -rf ./pylon/requirements/* ./pylon_auth/requirements/*
# down_with_mitmproxy: remove the NAT redirect rules first (as a prerequisite,
# i.e. before `compose down`, while the bridge interface can still be looked
# up), then stop the stack.
down_with_mitmproxy: mitmproxy_iptables_remove
	$(COMPOSE) down
# pylon_state_clean: wipe pylon's plugin and requirements directories (contents
# only; the directories stay in place).
pylon_state_clean:
	rm -rf ./pylon/plugins/* ./pylon/requirements/*
# pylon_auth_state_clean: wipe pylon_auth's plugin and requirements directories
# (contents only; the directories stay in place).
pylon_auth_state_clean:
	rm -rf ./pylon_auth/plugins/* ./pylon_auth/requirements/*
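# docker_volumes_prune: stop the stack, then delete every docker volume whose
# name contains "centry". GET_CENTRY_VOLUMES is expanded here, after `down`,
# not at parse time. When nothing matches we say so instead of running
# `docker volume rm` with no arguments, which fails the target.
docker_volumes_prune: down
	$(eval CENTRY_VOLUMES := $(GET_CENTRY_VOLUMES))
	$(if $(strip $(CENTRY_VOLUMES)),docker volume rm $(CENTRY_VOLUMES),@echo No centry volumes found - nothing to remove)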
# clean_all: reset local state and docker volumes, in a fixed order via
# sub-makes (docker_volumes_prune itself runs `down` first).
clean_all:
	$(MAKE) pylon_state_clean
	$(MAKE) pylon_auth_state_clean
	$(MAKE) docker_volumes_prune
# docker_system_prune: stop the stack, then remove ALL unused docker images,
# containers, networks and volumes on this host -- not just centry's. No `-f`
# is passed, so docker asks for confirmation.
docker_system_prune: down
	docker system prune -a --volumes
# mitmproxy_interface_show: print the docker bridge the mitmproxy targets use --
# the br-* interface with the highest index in `ip a`, i.e. the most recently
# created one. This is a heuristic; with several compose projects up it may not
# be centry's bridge.
mitmproxy_interface_show:
	ip a | grep -o -P "[[:digit:]]+: br-[^: ]+" | sort -t: -k1,1n | tail -n 1 | grep -o -P "br-[^: ]+"
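# mitmproxy_iptables_register: NAT-redirect TCP 80/443 arriving on the newest
# docker bridge (highest "N: br-..." index in `ip a`) to mitmproxy's transparent
# port 8080, for both IPv4 and IPv6. The -C (check) before -A makes this
# idempotent: re-running does not stack duplicate rules that a single remove
# would leave behind, silently keeping traffic redirected.
mitmproxy_iptables_register:
	$(eval IF=$(shell ip a | grep -o -P "[[:digit:]]+: br-[^: ]+" | sort -t: -k1,1n | tail -n 1 | grep -o -P "br-[^: ]+"))
# An empty IF would turn `-i -p` into an iptables parse error; fail with a clear message.
	@test -n "$(strip $(IF))" || { echo "ERROR: no docker bridge (br-*) interface found; create the compose network first"; exit 1; }
	@echo Registering iptable rules to forward all traffic from $(IF) targeting ports 80/443 to mitmproxy...
	@for tbl in iptables ip6tables; do for port in 80 443; do \
	  sudo $$tbl -t nat -C PREROUTING -i $(IF) -p tcp --dport $$port -j REDIRECT --to-port 8080 2>/dev/null || \
	  sudo $$tbl -t nat -A PREROUTING -i $(IF) -p tcp --dport $$port -j REDIRECT --to-port 8080 || exit 1; \
	done; done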
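# mitmproxy_iptables_remove: delete the 80/443 -> 8080 redirect rules added by
# mitmproxy_iptables_register for the newest docker bridge. Each rule is deleted
# while -C still finds it, so duplicates from repeated registers are all
# removed and an already-clean table is not an error. Rules left for a bridge
# that no longer exists are not matched here; inspect them with
# mitmproxy_iptables_list.
mitmproxy_iptables_remove:
	$(eval IF=$(shell ip a | grep -o -P "[[:digit:]]+: br-[^: ]+" | sort -t: -k1,1n | tail -n 1 | grep -o -P "br-[^: ]+"))
	@test -n "$(strip $(IF))" || { echo "ERROR: no docker bridge (br-*) interface found; nothing to match rules against"; exit 1; }
	@echo Removing iptable rules to forward all traffic from $(IF) targeting ports 80/443 to mitmproxy...
	@for tbl in iptables ip6tables; do for port in 80 443; do \
	  while sudo $$tbl -t nat -C PREROUTING -i $(IF) -p tcp --dport $$port -j REDIRECT --to-port 8080 2>/dev/null; do \
	    sudo $$tbl -t nat -D PREROUTING -i $(IF) -p tcp --dport $$port -j REDIRECT --to-port 8080 || exit 1; \
	  done; \
	done; done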
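# mitmproxy_k8s_iptables_register: redirect traffic from the newest docker bridge
# to the Kubernetes API server port (taken from `kubectl config view`) into
# mitmproxy on 8080, IPv4 and IPv6. `kubectl config view` lists every cluster in
# the kubeconfig, so the grep can yield several ports; we require exactly one
# rather than emit a malformed --dport. -C before -A keeps the rule set
# idempotent.
mitmproxy_k8s_iptables_register:
	$(eval IF=$(shell ip a | grep -o -P "[[:digit:]]+: br-[^: ]+" | sort -t: -k1,1n | tail -n 1 | grep -o -P "br-[^: ]+"))
	$(eval KUBE_PORT=$(shell kubectl config view | grep -oP 'server: https://[^:]+:\K\d+'))
	@test -n "$(strip $(IF))" || { echo "ERROR: no docker bridge (br-*) interface found; create the compose network first"; exit 1; }
	@test "$(words $(KUBE_PORT))" = 1 || { echo "ERROR: expected exactly one API server port from kubectl config view, got: '$(KUBE_PORT)'"; exit 1; }
	@echo Registering iptable rules to forward k8s traffic from $(IF) targeting port $(KUBE_PORT) to mitmproxy...
	@for tbl in iptables ip6tables; do \
	  sudo $$tbl -t nat -C PREROUTING -i $(IF) -p tcp --dport $(KUBE_PORT) -j REDIRECT --to-port 8080 2>/dev/null || \
	  sudo $$tbl -t nat -A PREROUTING -i $(IF) -p tcp --dport $(KUBE_PORT) -j REDIRECT --to-port 8080 || exit 1; \
	done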
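# mitmproxy_k8s_iptables_remove: undo mitmproxy_k8s_iptables_register. Deletes
# the rule while -C still finds it (so duplicates go too, and a clean table is
# not an error). Requires the same single API server port to be resolvable.
mitmproxy_k8s_iptables_remove:
	$(eval IF=$(shell ip a | grep -o -P "[[:digit:]]+: br-[^: ]+" | sort -t: -k1,1n | tail -n 1 | grep -o -P "br-[^: ]+"))
	$(eval KUBE_PORT=$(shell kubectl config view | grep -oP 'server: https://[^:]+:\K\d+'))
	@test -n "$(strip $(IF))" || { echo "ERROR: no docker bridge (br-*) interface found; nothing to match rules against"; exit 1; }
	@test "$(words $(KUBE_PORT))" = 1 || { echo "ERROR: expected exactly one API server port from kubectl config view, got: '$(KUBE_PORT)'"; exit 1; }
	@echo Removing iptable rules to forward k8s traffic from $(IF) targeting port $(KUBE_PORT) to mitmproxy...
	@for tbl in iptables ip6tables; do \
	  while sudo $$tbl -t nat -C PREROUTING -i $(IF) -p tcp --dport $(KUBE_PORT) -j REDIRECT --to-port 8080 2>/dev/null; do \
	    sudo $$tbl -t nat -D PREROUTING -i $(IF) -p tcp --dport $(KUBE_PORT) -j REDIRECT --to-port 8080 || exit 1; \
	  done; \
	done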
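# mitmproxy_iptables_list: show the nat PREROUTING rules (with line numbers)
# that redirect to port 8080, IPv4 then IPv6. Useful to verify register/remove
# and to spot rules left over for a bridge that no longer exists. An empty
# result is reported, not treated as a failure (grep's exit 1 used to abort).
mitmproxy_iptables_list:
	@sudo iptables -t nat -L -v --line-numbers | grep "redir ports 8080" || echo "no IPv4 nat rules redirecting to 8080"
	@sudo ip6tables -t nat -L -v --line-numbers | grep "redir ports 8080" || echo "no IPv6 nat rules redirecting to 8080"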
# mitmproxy_start_transparent: run the interactive mitmproxy UI in transparent
# mode (the iptables REDIRECT rules deliver traffic to it on 8080; --showhost
# labels flows with the Host header).
mitmproxy_start_transparent:
	mitmproxy --mode transparent --showhost
# mitmdump_start_transparent: headless variant writing flow summaries to
# ./mitmlog.log. The file is truncated on every start (`>`), and it records
# intercepted traffic -- treat it as sensitive and keep it out of commits.
mitmdump_start_transparent:
	mitmdump --mode transparent --showhost > mitmlog.log
# mitmdump_follow_all: live-tail the mitmdump log written by mitmdump_start_transparent.
mitmdump_follow_all:
	tail -f mitmlog.log
# mitmdump_follow_TLS_failed: live-tail only the TLS handshake failures, i.e.
# clients that did not accept the mitmproxy CA.
mitmdump_follow_TLS_failed:
	tail -f mitmlog.log | grep "TLS handshake failed"
# mitmdump_print_TLS_failed: print every TLS handshake failure recorded so far
# in the mitmdump log (non-zero exit when there are none, as grep reports).
mitmdump_print_TLS_failed:
	grep "TLS handshake failed" mitmlog.log
# docker_print_IPs: one line per running container: name, image and the IP on
# each attached network. `$$(...)` passes a literal $(...) to the shell so
# `docker ps -q` runs at recipe time.
docker_print_IPs:
	@docker inspect -f '{{.Name}} - {{.Config.Image}} - {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $$(docker ps -q)
# mitmproxy_prepare_system: kernel settings for transparent proxying -- enable
# IPv4/IPv6 forwarding and disable ICMP redirects. These are host-wide,
# applied with `sysctl -w` and therefore not persistent across reboot; revert
# them when the interception setup is no longer needed.
mitmproxy_prepare_system:
	@(sudo sysctl -w net.ipv4.ip_forward=1)
	@(sudo sysctl -w net.ipv6.conf.all.forwarding=1)
	@(sudo sysctl -w net.ipv4.conf.all.send_redirects=0)
# purge: alias for docker_volumes_prune (stop the stack and delete centry volumes).
purge: docker_volumes_prune